A new set of critical vulnerabilities has been identified in Contec Health’s CMS8000 Patient Monitor, posing significant cybersecurity and patient safety risks. These vulnerabilities, which have received a CVSS v4 base score of 9.3, allow for remote exploitation with low attack complexity. The security issues identified include an Out-of-Bounds Write vulnerability, a Hidden Functionality (Backdoor), and Privacy Leakage. These flaws could lead to remote code execution, unauthorized file uploads, and exposure of sensitive patient data.
Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued safety communications addressing these risks, highlighting the potential for large-scale exploitation in healthcare environments.
Background
- Critical Infrastructure Sector: Healthcare and Public Health
- Global Deployment: The CMS8000 Patient Monitor is used worldwide.
- Manufacturer: Contec Health, headquartered in China.
- Researcher: An anonymous security researcher reported these vulnerabilities to CISA.
Risk Evaluation
Successful exploitation of these vulnerabilities can enable a malicious actor to remotely send specially crafted UDP requests, allowing them to write arbitrary data. This could result in remote code execution, unauthorized access to patient information, and even the ability to manipulate device functionality. Moreover, the device has been found to leak patient and sensor data to an unknown external network, further exacerbating security concerns.
A particularly aspect of these vulnerabilities is that simultaneous exploitation of all affected devices within a shared network is possible. This increases the risk of coordinated cyberattacks that could compromise multiple patient monitors in a single healthcare facility.
To mitigate these risks, both the FDA and CISA have released guidelines and fact sheets detailing the vulnerabilities and recommended security measures.
Technical Details
Affected Products
The vulnerabilities affect the following firmware versions of the CMS8000 Patient Monitor:
- smart3250-2.6.27-wlan2.1.7.cramfs
- CMS7.820.075.08/0.74(0.75)
- CMS7.820.120.01/0.93(0.95)
- All firmware versions (CVE-2025-0626, CVE-2025-0683)
Vulnerabilities Overview
1. Out-of-Bounds Write (CWE-787)
- CVE-2024-12248
- Allows an attacker to send specially formatted UDP requests that write arbitrary data, potentially leading to remote code execution.
- CVSS v3.1 Base Score: 9.8
- CVSS v4 Base Score: 9.3
2. Hidden Functionality (Backdoor) (CWE-912)
- CVE-2025-0626
- The device sends remote access requests to a hard-coded IP address, bypassing network settings. This could allow unauthorized actors to upload and overwrite files on the monitor.
- CVSS v3.1 Base Score: 7.5
- CVSS v4 Base Score: 7.7
3. Privacy Leakage (CWE-359)
- CVE-2025-0683
- In default configuration, the monitor transmits plain-text patient data to a hard-coded public IP address, leading to potential exposure of confidential information.
- CVSS v3.1 Base Score: 5.9
- CVSS v4 Base Score: 8.2
Mitigation Measures
Given the high severity of these vulnerabilities, the FDA and CISA strongly recommend removing affected CMS8000 Patient Monitors from networks until a secure patch is available. Additionally, organizations should implement the following security measures:
- Restrict Network Exposure: Ensure all medical devices, including patient monitors, are not accessible from the internet.
- Use Firewalls: Place affected devices behind firewalls and isolate them from business networks.
- Update Firewall Rules: Block unauthorized access to affected devices and external communication with unknown IP addresses.
- Subnet Segmentation: Ensure medical devices are located on a separate, low-privilege network segment.
- Source Equipment from Trusted Manufacturers: Avoid using rebranded or resold versions of the CMS8000 that may still contain vulnerabilities.
CISA CSAF Repository & OASIS CSAF 2.0 Standard
To enhance security automation and expedite mitigation efforts, CISA has made available security advisories in machine-readable format through its CSAF repository. This repository follows the OASIS CSAF 2.0 standard, allowing organizations to consume advisories in a structured manner and reduce response times.
The OASIS CSAF Technical Committee developed CSAF as a standardized approach for sharing security advisories in a machine-readable format, facilitating faster remediation and improving overall cybersecurity resilience. Vendors and cybersecurity professionals are encouraged to leverage this resource to stay updated on security threats and vulnerabilities.
Healthcare organizations must act swiftly to mitigate these risks by removing affected devices from their networks, implementing strict access controls, and leveraging cybersecurity best practices. Additionally, manufacturers must prioritize security updates and ensure the safety of critical medical devices.
CISA and the FDA will continue to monitor the situation and provide updated security recommendations as necessary. Organizations are encouraged to stay vigilant and proactive in securing their medical infrastructure against emerging cyber threats.
